IETF Logo Mail Archive

Re: [Txauth] TxAuth Charter (Take 3.5)

Torsten Lodderstedt <torsten@lodderstedt.net> Tue, 21 January 2020 10:57 UTC

Return-Path: <torsten@lodderstedt.net>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6C64B1200C1 for <txauth@ietfa.amsl.com>; Tue, 21 Jan 2020 02:57:16 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=lodderstedt.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SMwZarhxCuza for <txauth@ietfa.amsl.com>; Tue, 21 Jan 2020 02:57:13 -0800 (PST)
Received: from mail-wr1-x42b.google.com (mail-wr1-x42b.google.com [IPv6:2a00:1450:4864:20::42b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5C319120091 for <txauth@ietf.org>; Tue, 21 Jan 2020 02:57:13 -0800 (PST)
Received: by mail-wr1-x42b.google.com with SMTP id b6so2680134wrq.0 for <txauth@ietf.org>; Tue, 21 Jan 2020 02:57:13 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=lodderstedt.net; s=google; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=wGtsnrjlxJVn83lCp7+6PUDML/ATunbNDID7eFh35wg=; b=md7030okp8yVx4KxOB9CUwgNU9zCUX/Z6ap03MnqKMxKYnWL4ZCL1F6e+livXZttK8 u/hABXexYU49xFiBHvMSyRALVpw991WmkbfJF+JsafVjk1WpG4W41eEz0ijPW+dUzp5+ Pq+AHlxVrmCiM+LRyGziqp1TkTDXFbqFNPoJgbTDUP14hehycCmkY7Fpivy8Aso57isR wtFyGaRXnVsHSP4w/fNbrMO1lD8TvAF29dkhihJljq9J1AJVvxv1/1KXiRH2YGbO3UES wKEqRszbqzzZ3VavABn+R5LfkJAxLLVYn9B6PDBtkeA7dOK7kEy9R/IiN11NR/Dae5La QeTQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=wGtsnrjlxJVn83lCp7+6PUDML/ATunbNDID7eFh35wg=; b=GJ8KUBsH/sd9MXDeBpFL4pkMSEGJui3xhGzh3/paeWEJdMOXgQN7ASnQRwkAFFW/iI khM88uB1HfsjO/lxW6WJDyXHuG7Py9tOdOMBOUD9obJMf4aj6g0dv0itKJcPsJTlN5bR 9EavsV7z9iD3Lom6XxE0ZCgWELiBgXeJ5RgAtFrnUmsNF+wKzU7pojb+daxERcDvcAmN gnLazRJoEG6e0jL7CyqlxY7jWR3f9xzJbqXxJs92xFS3l2qCr4FDvI+qadbv42rEYr6A ryjTNF9wsqqfyVvkq/+/qangHvabKmDQ45WqdnQNQuX/cLnI6DEZRM48cODgrc/a2Thz wItQ==
X-Gm-Message-State: APjAAAXQHcdi4yyr9sgj0YKatA+Ode1uAEg8pfTIjY37vBv2lqeGqM1S ljXUR+6VkagDpc4tL4D538T9VA==
X-Google-Smtp-Source: APXvYqxc+lRNcxI9e4D3eXMHeo5GNVhedb2OPK41bVoxZA0893ueb1OMc2Jz61WTpfO9ivLZxRjEvg==
X-Received: by 2002:a5d:6ac2:: with SMTP id u2mr4342373wrw.233.1579604231631; Tue, 21 Jan 2020 02:57:11 -0800 (PST)
Received: from [10.3.21.206] (gate.haus-staade.de. [80.155.34.3]) by smtp.gmail.com with ESMTPSA id z8sm51021839wrq.22.2020.01.21.02.57.10 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 21 Jan 2020 02:57:10 -0800 (PST)
From: Torsten Lodderstedt <torsten@lodderstedt.net>
Message-Id: <2B53E22D-2C4C-4364-9A45-285D1195E642@lodderstedt.net>
Content-Type: multipart/signed; boundary="Apple-Mail=_B7CBABDB-7EAD-492B-8333-79B59CD9B37A"; protocol="application/pkcs7-signature"; micalg="sha-256"
Mime-Version: 1.0 (Mac OS X Mail 13.0 \(3608.40.2.2.4\))
Date: Tue, 21 Jan 2020 11:56:07 +0100
In-Reply-To: <F7F47DEF-DB58-4F1D-A00A-8731D44F2FA0@amazon.com>
Cc: Justin Richer <jricher@mit.edu>, "txauth@ietf.org" <txauth@ietf.org>
To: "Richard Backman, Annabelle" <richanna=40amazon.com@dmarc.ietf.org>
References: <741262A9-A258-40DC-87AB-0ED7515D136E@mit.edu> <F7F47DEF-DB58-4F1D-A00A-8731D44F2FA0@amazon.com>
X-Mailer: Apple Mail (2.3608.40.2.2.4)
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/p5kH5wQEEBlwBhQ8J_12c8WFctU>
Subject: Re: [Txauth] TxAuth Charter (Take 3.5)
X-BeenThere: txauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <txauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/txauth>, <mailto:txauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth/>
List-Post: <mailto:txauth@ietf.org>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/txauth>, <mailto:txauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 21 Jan 2020 10:57:17 -0000

another NIT: Approval of “access to” multiple resources and APIs in a single interaction

> On 20. Jan 2020, at 19:05, Richard Backman, Annabelle <richanna=40amazon.com@dmarc.ietf.org> wrote:
> 
> NIT: Mixed verb tenses in the last sentence of paragraph 2. Replace “as well as providing” with “and provides”.
>  
> – 
> Annabelle Richard Backman
> AWS Identity
>  
>  
> From: Txauth <txauth-bounces@ietf.org> on behalf of Justin Richer <jricher@mit.edu>
> Date: Saturday, January 18, 2020 at 6:16 AM
> To: "txauth@ietf.org" <txauth@ietf.org>
> Subject: [Txauth] TxAuth Charter (Take 3.5)
>  
> Thanks for all the feedback and discussion on the last round of the charter. I’ve made a few tweaks to it based on the conversations on this list, and a couple off-list, and have incorporated them here.
>  
>>  
>> This group is chartered to develop a delegation protocol for authorization, identity, and API access. This protocol will allow an authorizing party to delegate access to client software through an authorization server. The use cases supported by this protocol will include widely deployed use cases currently supported by OAuth 2.0 and OpenID Connect (an extension of OAuth 2.0) as well as new use cases not enabled by OAuth 2.0.
>>  
>> The delegation process will be acted upon by multiple parties in the protocol, each performing a specific role. The protocol will decouple the interaction channels, such as the end user’s browser, from the delegation channel, which happens directly between the client and the authorization server (in contrast with OAuth 2.0 which is initiated by the client redirecting the user’s browser). The client and AS will involve the authorizing party as necessary through interaction mechanisms indicated by the protocol. This decoupling avoids many of the security concerns and technical challenges of OAuth 2.0 as well as providing a non-invasive path for supporting future types of clients and interaction channels.
>>  
>> Additionally, the delegation process will allow for:
>>  
>> - Fine-grained specification of access
>> - Approval of AS attestation to identity claims
>> - Approval of multiple resources and APIs in a single interaction
>> - Separation between the party authorizing access and the party operating the client requesting access
>> - Web, mobile, single-page, interaction-constrained, and other types of client applications
>>  
>> The group will define extension points for this protocol to allow for flexibility in areas including:
>>  
>> - Cryptographic agility for keys, message signatures, and proof of possession 
>> - User interaction mechanisms including web and non-web methods
>> - Mechanisms for providing user, software, organization, and other pieces of information used in authorization decisions
>> - Token presentation mechanisms and key bindings
>> - Optimization of information and API access beyond identity through the delegation process
>>  
>> Additionally, the group will provide mechanisms for management of the protocol lifecycle including:
>>  
>> - Discovery of the authorization server
>> - Revocation of active tokens
>> - Query of token rights by resource servers
>>  
>> Although the artifacts for this work are not intended or expected to be backwards-compatible with OAuth 2.0 or OpenID Connect, the group will attempt to simplify porting from OAuth 2.0 and OpenID Connect to the new protocol where possible.
>>  
>> While the initial work will focus on using HTTP for communication between the client and the authorization server, the working group will seek to take advantage of optimization features of HTTP2 and HTTP3 where possible, and will strive to enable simple mapping to other protocols such as COAP.
>  
> I would really appreciate the security AD’s weighing in at this stage. Thanks again everyone!
>  
>  — Justin
> -- 
> Txauth mailing list
> Txauth@ietf.org
> https://www.ietf.org/mailman/listinfo/txauth

v2.23.0 | Report a Bug | By Email